7de08342
Commit
7de08342
authored
Jan 21, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 21, 2017
Update APT1 rules
Rules indented correctly
parent
79102bd9
Showing
1 changed file
with
514 additions
and
424 deletions
+514
-424
APT_APT1.yar
malware/APT_APT1.yar
+514
-424
malware/APT_APT1.yar
...
@@ -5,697 +5,745 @@
...
@@ -5,697 +5,745 @@
import "pe"
import "pe"
rule LIGHTDART_APT1 {
rule LIGHTDART_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "ret.log" wide ascii
$s2 = "Microsoft Internet Explorer 6.0" wide ascii
$s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
strings:
condition:
$s1 = "ret.log" wide ascii
all of them
$s2 = "Microsoft Internet Explorer 6.0" wide ascii
$s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
condition:
all of them
}
}
rule AURIGA_APT1 {
rule AURIGA_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "superhard corp." wide ascii
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
strings:
condition:
$s1 = "superhard corp." wide ascii
all of them
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
condition:
all of them
}
}
rule AURIGA_driver_APT1 {
rule AURIGA_driver_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Services\\riodrv32" wide ascii
$s2 = "riodrv32.sys" wide ascii
$s3 = "svchost.exe" wide ascii
$s4 = "wuauserv.dll" wide ascii
$s5 = "arp.exe" wide ascii
$pdb = "projects\\auriga" wide ascii
strings:
condition:
$s1 = "Services\\riodrv32" wide ascii
all of ($s*) or $pdb
$s2 = "riodrv32.sys" wide ascii
$s3 = "svchost.exe" wide ascii
$s4 = "wuauserv.dll" wide ascii
$s5 = "arp.exe" wide ascii
$pdb = "projects\\auriga" wide ascii
condition:
all of ($s*) or $pdb
}
}
rule BANGAT_APT1 {
rule BANGAT_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "superhard corp." wide ascii
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
$s8 = "end binary output" wide ascii
$s9 = "XriteProcessMemory" wide ascii
$s10 = "IE:Password-Protected sites" wide ascii
$s11 = "pstorec.dll" wide ascii
strings:
condition:
$s1 = "superhard corp." wide ascii
all of them
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
$s8 = "end binary output" wide ascii
$s9 = "XriteProcessMemory" wide ascii
$s10 = "IE:Password-Protected sites" wide ascii
$s11 = "pstorec.dll" wide ascii
condition:
all of them
}
}
rule BISCUIT_GREENCAT_APT1 {
rule BISCUIT_GREENCAT_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "zxdosml" wide ascii
$s2 = "get user name error!" wide ascii
$s3 = "get computer name error!" wide ascii
$s4 = "----client system info----" wide ascii
$s5 = "stfile" wide ascii
$s6 = "cmd success!" wide ascii
strings:
condition:
$s1 = "zxdosml" wide ascii
all of them
$s2 = "get user name error!" wide ascii
$s3 = "get computer name error!" wide ascii
$s4 = "----client system info----" wide ascii
$s5 = "stfile" wide ascii
$s6 = "cmd success!" wide ascii
condition:
all of them
}
}
rule BOUNCER_APT1 {
rule BOUNCER_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
$s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
strings:
condition:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
($s1 and $s2) or ($s3 and $s4)
$s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
condition:
($s1 and $s2) or ($s3 and $s4)
}
}
rule BOUNCER_DLL_APT1 {
rule BOUNCER_DLL_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "new_connection_to_bounce():" wide ascii
$s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
strings:
condition:
$s1 = "new_connection_to_bounce():" wide ascii
all of them
$s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
condition:
all of them
}
}
rule CALENDAR_APT1 {
rule CALENDAR_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "content" wide ascii
$s2 = "title" wide ascii
$s3 = "entry" wide ascii
$s4 = "feed" wide ascii
$s5 = "DownRun success" wide ascii
$s6 = "%s@gmail.com" wide ascii
$s7 = "<!--%s-->" wide ascii
$b8 = "W4qKihsb+So=" wide ascii
$b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
$b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
strings:
condition:
$s1 = "content" wide ascii
all of ($s*) or all of ($b*)
$s2 = "title" wide ascii
$s3 = "entry" wide ascii
$s4 = "feed" wide ascii
$s5 = "DownRun success" wide ascii
$s6 = "%s@gmail.com" wide ascii
$s7 = "<!--%s-->" wide ascii
$b8 = "W4qKihsb+So=" wide ascii
$b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
$b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
condition:
all of ($s*) or all of ($b*)
}
}
rule COMBOS_APT1 {
rule COMBOS_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
$s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
$s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
$s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
$s3 = "Delay" wide ascii
$s3 = "Delay" wide ascii
$s4 = "Getfile" wide ascii
$s4 = "Getfile" wide ascii
$s5 = "Putfile" wide ascii
$s5 = "Putfile" wide ascii
$s6 = "---[ Virtual Shell]---" wide ascii
$s6 = "---[ Virtual Shell]---" wide ascii
$s7 = "Not Comming From Our Server %s." wide ascii
$s7 = "Not Comming From Our Server %s." wide ascii
condition:
condition:
all of them
all of them
}
}
rule DAIRY_APT1 {
rule DAIRY_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
$s2 = "KilFail" wide ascii
$s3 = "KilSucc" wide ascii
$s4 = "pkkill" wide ascii
$s5 = "pklist" wide ascii
strings:
condition:
$s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
all of them
$s2 = "KilFail" wide ascii
$s3 = "KilSucc" wide ascii
$s4 = "pkkill" wide ascii
$s5 = "pklist" wide ascii
condition:
all of them
}
}
rule GLOOXMAIL_APT1 {
rule GLOOXMAIL_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Kill process success!" wide ascii
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
strings:
condition:
$s1 = "Kill process success!" wide ascii
all of ($s*) or $pdb
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
}
rule GOGGLES_APT1 {
rule GOGGLES_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Kill process success!" wide ascii
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
strings:
condition:
$s1 = "Kill process success!" wide ascii
all of ($s*) or $pdb
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
}
rule HACKSFASE1_APT1 {
rule HACKSFASE1_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = {cb 39 82 49 42 be 1f 3a}
strings:
condition:
$s1 = {cb 39 82 49 42 be 1f 3a}
all of them
condition:
all of them
}
}
rule HACKSFASE2_APT1 {
rule HACKSFASE2_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Send to Server failed." wide ascii
$s2 = "HandShake with the server failed. Error:" wide ascii
$s3 = "Decryption Failed. Context Expired." wide ascii
strings:
condition:
$s1 = "Send to Server failed." wide ascii
all of them
$s2 = "HandShake with the server failed. Error:" wide ascii
$s3 = "Decryption Failed. Context Expired." wide ascii
condition:
all of them
}
}
rule KURTON_APT1 {
rule KURTON_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
$s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
$s3 = "MyTmpFile.Dat" wide ascii
$s4 = "SvcHost.DLL.log" wide ascii
strings:
condition:
$s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
all of them
$s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
$s3 = "MyTmpFile.Dat" wide ascii
$s4 = "SvcHost.DLL.log" wide ascii
condition:
all of them
}
}
rule LONGRUN_APT1 {
rule LONGRUN_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
$s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
$s3 = "wait:" wide ascii
$s4 = "Dcryption Error! Invalid Character" wide ascii
strings:
condition:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
all of them
$s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
$s3 = "wait:" wide ascii
$s4 = "Dcryption Error! Invalid Character" wide ascii
condition:
all of them
}
}
rule MACROMAIL_APT1 {
rule MACROMAIL_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "svcMsn.dll" wide ascii
$s2 = "RundllInstall" wide ascii
$s3 = "Config service %s ok." wide ascii
$s4 = "svchost.exe" wide ascii
strings:
condition:
$s1 = "svcMsn.dll" wide ascii
all of them
$s2 = "RundllInstall" wide ascii
$s3 = "Config service %s ok." wide ascii
$s4 = "svchost.exe" wide ascii
condition:
all of them
}
}
rule MANITSME_APT1 {
rule MANITSME_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Install an Service hosted by SVCHOST." wide ascii
$s2 = "The Dll file that to be released." wide ascii
$s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$s4 = "svchost.exe" wide ascii
$e1 = "Man,it's me" wide ascii
$e2 = "Oh,shit" wide ascii
$e3 = "Hallelujah" wide ascii
$e4 = "nRet == SOCKET_ERROR" wide ascii
$pdb1 = "rouji\\release\\Install.pdb" wide ascii
$pdb2 = "rouji\\SvcMain.pdb" wide ascii
strings:
condition:
$s1 = "Install an Service hosted by SVCHOST." wide ascii
(all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
$s2 = "The Dll file that to be released." wide ascii
$s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$s4 = "svchost.exe" wide ascii
$e1 = "Man,it's me" wide ascii
$e2 = "Oh,shit" wide ascii
$e3 = "Hallelujah" wide ascii
$e4 = "nRet == SOCKET_ERROR" wide ascii
$pdb1 = "rouji\\release\\Install.pdb" wide ascii
$pdb2 = "rouji\\SvcMain.pdb" wide ascii
condition:
(all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}
}
rule MINIASP_APT1 {
rule MINIASP_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "miniasp" wide ascii
$s2 = "wakeup=" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "device_input.asp?device_t=" wide ascii
strings:
condition:
$s1 = "miniasp" wide ascii
all of them
$s2 = "wakeup=" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "device_input.asp?device_t=" wide ascii
condition:
all of them
}
}
rule NEWSREELS_APT1 {
rule NEWSREELS_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
$s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "noclient" wide ascii
$s6 = "wait" wide ascii
$s7 = "active" wide ascii
$s8 = "hello" wide ascii
strings:
condition:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
all of them
$s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "noclient" wide ascii
$s6 = "wait" wide ascii
$s7 = "active" wide ascii
$s8 = "hello" wide ascii
condition:
all of them
}
}
rule SEASALT_APT1 {
rule SEASALT_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
$s2 = "upfileok" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "upfileer" wide ascii
$s5 = "fxftest" wide ascii
strings:
condition:
$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
all of them
$s2 = "upfileok" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "upfileer" wide ascii
$s5 = "fxftest" wide ascii
condition:
all of them
}
}
rule STARSYPOUND_APT1
{
rule STARSYPOUND_APT1 {
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "*(SY)# cmd" wide ascii
$s2 = "send = %d" wide ascii
$s3 = "cmd.exe" wide ascii
$s4 = "*(SY)#" wide ascii
strings:
condition:
$s1 = "*(SY)# cmd" wide ascii
all of them
$s2 = "send = %d" wide ascii
$s3 = "cmd.exe" wide ascii
$s4 = "*(SY)#" wide ascii
condition:
all of them
}
}
rule SWORD_APT1 {
rule SWORD_APT1
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
$s2 = "sleep:" wide ascii
$s3 = "down:" wide ascii
$s4 = "*========== Bye Bye ! ==========*" wide ascii
strings:
condition:
$s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
all of them
$s2 = "sleep:" wide ascii
$s3 = "down:" wide ascii
$s4 = "*========== Bye Bye ! ==========*" wide ascii
condition:
all of them
}
}
rule thequickbrow_APT1
{
rule thequickbrow_APT1 {
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "thequickbrownfxjmpsvalzydg" wide ascii
strings:
condition:
$s1 = "thequickbrownfxjmpsvalzydg" wide ascii
all of them
condition:
all of them
}
}
rule TABMSGSQL_APT1
{
rule TABMSGSQL_APT1 {
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "letusgohtppmmv2.0.0.1" wide ascii
$s2 = "Mozilla/4.0 (compatible; )" wide ascii
$s3 = "filestoc" wide ascii
$s4 = "filectos" wide ascii
$s5 = "reshell" wide ascii
strings:
condition:
$s1 = "letusgohtppmmv2.0.0.1" wide ascii
all of them
$s2 = "Mozilla/4.0 (compatible; )" wide ascii
$s3 = "filestoc" wide ascii
$s4 = "filectos" wide ascii
$s5 = "reshell" wide ascii
condition:
all of them
}
}
rule CCREWBACK1
rule CCREWBACK1
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "postvalue" wide ascii
$b = "postdata" wide ascii
$c = "postfile" wide ascii
$d = "hostname" wide ascii
$e = "clientkey" wide ascii
$f = "start Cmd Failure!" wide ascii
$g = "sleep:" wide ascii
$h = "downloadcopy:" wide ascii
$i = "download:" wide ascii
$j = "geturl:" wide ascii
$k = "1.234.1.68" wide ascii
strings:
condition:
$a = "postvalue" wide ascii
4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
$b = "postdata" wide ascii
$c = "postfile" wide ascii
$d = "hostname" wide ascii
$e = "clientkey" wide ascii
$f = "start Cmd Failure!" wide ascii
$g = "sleep:" wide ascii
$h = "downloadcopy:" wide ascii
$i = "download:" wide ascii
$j = "geturl:" wide ascii
$k = "1.234.1.68" wide ascii
condition:
4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
}
}
rule TrojanCookies_CCREW
rule TrojanCookies_CCREW
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "sleep:" wide ascii
$b = "content=" wide ascii
$c = "reqpath=" wide ascii
$d = "savepath=" wide ascii
$e = "command=" wide ascii
strings:
condition:
$a = "sleep:" wide ascii
4 of ($a,$b,$c,$d,$e)
$b = "content=" wide ascii
$c = "reqpath=" wide ascii
$d = "savepath=" wide ascii
$e = "command=" wide ascii
condition:
4 of ($a,$b,$c,$d,$e)
}
}
rule GEN_CCREW1
rule GEN_CCREW1
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "W!r@o#n$g" wide ascii
$b = "KerNel32.dll" wide ascii
strings:
condition:
$a = "W!r@o#n$g" wide ascii
any of them
$b = "KerNel32.dll" wide ascii
condition:
any of them
}
}
rule Elise
rule Elise
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "SetElise.pdb" wide ascii
strings:
condition:
$a = "SetElise.pdb" wide ascii
$a
condition:
$a
}
}
rule EclipseSunCloudRAT
rule EclipseSunCloudRAT
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "Eclipse_A" wide ascii
$b = "\\PJTS\\" wide ascii
$c = "Eclipse_Client_B.pdb" wide ascii
$d = "XiaoME" wide ascii
$e = "SunCloud-Code" wide ascii
$f = "/uc_server/data/forum.asp" wide ascii
strings:
condition:
$a = "Eclipse_A" wide ascii
any of them
$b = "\\PJTS\\" wide ascii
$c = "Eclipse_Client_B.pdb" wide ascii
$d = "XiaoME" wide ascii
$e = "SunCloud-Code" wide ascii
$f = "/uc_server/data/forum.asp" wide ascii
condition:
any of them
}
}
rule MoonProject
rule MoonProject
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "Serverfile is smaller than Clientfile" wide ascii
$a = "Serverfile is smaller than Clientfile" wide ascii
$b = "\\M tools\\" wide ascii
$b = "\\M tools\\" wide ascii
$c = "MoonDLL" wide ascii
$c = "MoonDLL" wide ascii
$d = "\\M tools\\" wide ascii
$d = "\\M tools\\" wide ascii
condition:
condition:
any of them
any of them
}
}
rule ccrewDownloader1
rule ccrewDownloader1
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
strings:
condition:
$a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
any of them
condition:
any of them
}
}
rule ccrewDownloader2
rule ccrewDownloader2
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "3gZFQOBtY3sifNOl" wide ascii
$a = "3gZFQOBtY3sifNOl" wide ascii
$b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
$b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
$c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
$c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
condition:
condition:
any of them
any of them
}
}
rule ccrewMiniasp
rule ccrewMiniasp
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "MiniAsp.pdb" wide ascii
$a = "MiniAsp.pdb" wide ascii
$b = "device_t=" wide ascii
$b = "device_t=" wide ascii
condition:
condition:
any of them
any of them
}
}
rule ccrewSSLBack2
rule ccrewSSLBack2
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = {39 82 49 42 BE 1F 3A}
strings:
condition:
$a = {39 82 49 42 BE 1F 3A}
any of them
condition:
any of them
}
}
rule ccrewSSLBack3
rule ccrewSSLBack3
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "SLYHKAAY" wide ascii
$a = "SLYHKAAY" wide ascii
condition:
condition:
any of them
any of them
}
}
rule ccrewSSLBack1
rule ccrewSSLBack1
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "!@#%$^#@!" wide ascii
$a = "!@#%$^#@!" wide ascii
$b = "64.91.80.6" wide ascii
$b = "64.91.80.6" wide ascii
condition:
condition:
any of them
any of them
}
}
rule ccrewDownloader3
rule ccrewDownloader3
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "ejlcmbv" wide ascii
$a = "ejlcmbv" wide ascii
$b = "bhxjuisv" wide ascii
$b = "bhxjuisv" wide ascii
$c = "yqzgrh" wide ascii
$c = "yqzgrh" wide ascii
$d = "uqusofrp" wide ascii
$d = "uqusofrp" wide ascii
$e = "Ljpltmivvdcbb" wide ascii
$e = "Ljpltmivvdcbb" wide ascii
$f = "frfogjviirr" wide ascii
$f = "frfogjviirr" wide ascii
$g = "ximhttoskop" wide ascii
$g = "ximhttoskop" wide ascii
condition:
4 of them
}
condition:
4 of them
}
rule ccrewQAZ
rule ccrewQAZ
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "!QAZ@WSX" wide ascii
$a = "!QAZ@WSX" wide ascii
condition:
condition:
$a
$a
}
}
rule metaxcd
rule metaxcd
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$a = "<meta xcd=" wide ascii
strings:
condition:
$a = "<meta xcd=" wide ascii
$a
condition:
$a
}
}
rule MiniASP
rule MiniASP
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
$KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
$PDB = "MiniAsp.pdb" nocase wide ascii
strings:
condition:
$KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
any of them
$PDB = "MiniAsp.pdb" nocase wide ascii
condition:
any of them
}
}
rule DownloaderPossibleCCrew
rule DownloaderPossibleCCrew
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$a = "%s?%.6u" wide ascii
$a = "%s?%.6u" wide ascii
$b = "szFileUrl=%s" wide ascii
$b = "szFileUrl=%s" wide ascii
$c = "status=%u" wide ascii
$c = "status=%u" wide ascii
$d = "down file success" wide ascii
$d = "down file success" wide ascii
$e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
$e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_MAPIGET
rule APT1_MAPIGET
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$s1 = "%s\\Attachment.dat" wide ascii
$s1 = "%s\\Attachment.dat" wide ascii
$s2 = "MyOutlook" wide ascii
$s2 = "MyOutlook" wide ascii
...
@@ -704,93 +752,103 @@ rule APT1_MAPIGET
...
@@ -704,93 +752,103 @@ rule APT1_MAPIGET
$s5 = "Subject:" wide ascii
$s5 = "Subject:" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_LIGHTBOLT
rule APT1_LIGHTBOLT
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$str1 = "bits.exe" wide ascii
$str1 = "bits.exe" wide ascii
$str2 = "PDFBROW" wide ascii
$str2 = "PDFBROW" wide ascii
$str3 = "Browser.exe" wide ascii
$str3 = "Browser.exe" wide ascii
$str4 = "Protect!" wide ascii
$str4 = "Protect!" wide ascii
condition:
condition:
2 of them
2 of them
}
}
rule APT1_GETMAIL
rule APT1_GETMAIL
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$stra1 = "pls give the FULL path" wide ascii
$stra1 = "pls give the FULL path" wide ascii
$stra2 = "mapi32.dll" wide ascii
$stra2 = "mapi32.dll" wide ascii
$stra3 = "doCompress" wide ascii
$stra3 = "doCompress" wide ascii
$strb1 = "getmail.dll" wide ascii
$strb1 = "getmail.dll" wide ascii
$strb2 = "doCompress" wide ascii
$strb2 = "doCompress" wide ascii
$strb3 = "love" wide ascii
$strb3 = "love" wide ascii
condition:
condition:
all of ($stra*) or all of ($strb*)
all of ($stra*) or all of ($strb*)
}
}
rule APT1_GDOCUPLOAD
rule APT1_GDOCUPLOAD
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$str1 = "name=\"GALX\"" wide ascii
$str1 = "name=\"GALX\"" wide ascii
$str2 = "User-Agent: Shockwave Flash" wide ascii
$str2 = "User-Agent: Shockwave Flash" wide ascii
$str3 = "add cookie failed..." wide ascii
$str3 = "add cookie failed..." wide ascii
$str4 = ",speed=%f" wide ascii
$str4 = ",speed=%f" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_Y21K
rule APT1_WEBC2_Y21K
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "Y29ubmVjdA" wide ascii // connect
$1 = "Y29ubmVjdA" wide ascii // connect
$2 = "c2xlZXA" wide ascii // sleep
$2 = "c2xlZXA" wide ascii // sleep
$3 = "cXVpdA" wide ascii // quit
$3 = "cXVpdA" wide ascii // quit
$4 = "Y21k" wide ascii // cmd
$4 = "Y21k" wide ascii // cmd
$5 = "dW5zdXBwb3J0" wide ascii // unsupport
$5 = "dW5zdXBwb3J0" wide ascii // unsupport
condition:
condition:
4 of them
4 of them
}
}
rule APT1_WEBC2_YAHOO
rule APT1_WEBC2_YAHOO
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$http1 = "HTTP/1.0" wide ascii
$http1 = "HTTP/1.0" wide ascii
$http2 = "Content-Type:" wide ascii
$http2 = "Content-Type:" wide ascii
$uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
$uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_WEBC2_UGX
rule APT1_WEBC2_UGX
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
$persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
$exe = "DefWatch.exe" wide ascii
$exe = "DefWatch.exe" wide ascii
...
@@ -798,123 +856,139 @@ rule APT1_WEBC2_UGX
...
@@ -798,123 +856,139 @@ rule APT1_WEBC2_UGX
$cmd1 = "!@#tiuq#@!" wide ascii
$cmd1 = "!@#tiuq#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_TOCK
rule APT1_WEBC2_TOCK
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "InprocServer32" wide ascii
$1 = "InprocServer32" wide ascii
$2 = "HKEY_PERFORMANCE_DATA" wide ascii
$2 = "HKEY_PERFORMANCE_DATA" wide ascii
$3 = "<!---[<if IE 5>]id=" wide ascii
$3 = "<!---[<if IE 5>]id=" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_WEBC2_TABLE
rule APT1_WEBC2_TABLE
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$msg1 = "Fail To Execute The Command" wide ascii
$msg1 = "Fail To Execute The Command" wide ascii
$msg2 = "Execute The Command Successfully" wide ascii
$msg2 = "Execute The Command Successfully" wide ascii
/*
/*
$gif1 = /\w+\.gif/
$gif1 = /\w+\.gif/
*/
*/
$gif2 = "GIF89" wide ascii
$gif2 = "GIF89" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_RAVE
rule APT1_WEBC2_RAVE
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "iniet.exe" wide ascii
$1 = "iniet.exe" wide ascii
$2 = "cmd.exe" wide ascii
$2 = "cmd.exe" wide ascii
$3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
$3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
$4 = "Device File System" wide ascii
$4 = "Device File System" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_QBP
rule APT1_WEBC2_QBP
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "2010QBP" wide ascii
$1 = "2010QBP" wide ascii
$2 = "adobe_sl.exe" wide ascii
$2 = "adobe_sl.exe" wide ascii
$3 = "URLDownloadToCacheFile" wide ascii
$3 = "URLDownloadToCacheFile" wide ascii
$4 = "dnsapi.dll" wide ascii
$4 = "dnsapi.dll" wide ascii
$5 = "urlmon.dll" wide ascii
$5 = "urlmon.dll" wide ascii
condition:
condition:
4 of them
4 of them
}
}
rule APT1_WEBC2_HEAD
rule APT1_WEBC2_HEAD
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "Ready!" wide ascii
$1 = "Ready!" wide ascii
$2 = "connect ok" wide ascii
$2 = "connect ok" wide ascii
$3 = "WinHTTP 1.0" wide ascii
$3 = "WinHTTP 1.0" wide ascii
$4 = "<head>" wide ascii
$4 = "<head>" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_WEBC2_GREENCAT
rule APT1_WEBC2_GREENCAT
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "reader_sl.exe" wide ascii
$1 = "reader_sl.exe" wide ascii
$2 = "MS80547.bat" wide ascii
$2 = "MS80547.bat" wide ascii
$3 = "ADR32" wide ascii
$3 = "ADR32" wide ascii
$4 = "ControlService failed!" wide ascii
$4 = "ControlService failed!" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_DIV
rule APT1_WEBC2_DIV
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
$1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
$2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
$2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
$3 = "Hello from MFC!" wide ascii
$3 = "Hello from MFC!" wide ascii
$4 = "Microsoft Internet Explorer" wide ascii
$4 = "Microsoft Internet Explorer" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_WEBC2_CSON
rule APT1_WEBC2_CSON
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$httpa1 = "/Default.aspx?INDEX=" wide ascii
$httpa1 = "/Default.aspx?INDEX=" wide ascii
$httpa2 = "/Default.aspx?ID=" wide ascii
$httpa2 = "/Default.aspx?ID=" wide ascii
...
@@ -922,16 +996,18 @@ rule APT1_WEBC2_CSON
...
@@ -922,16 +996,18 @@ rule APT1_WEBC2_CSON
$httpb2 = "Accept: text*/*" wide ascii
$httpb2 = "Accept: text*/*" wide ascii
$exe1 = "xcmd.exe" wide ascii
$exe1 = "xcmd.exe" wide ascii
$exe2 = "Google.exe" wide ascii
$exe2 = "Google.exe" wide ascii
condition:
condition:
1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}
}
rule APT1_WEBC2_CLOVER
rule APT1_WEBC2_CLOVER
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$msg1 = "BUILD ERROR!" wide ascii
$msg1 = "BUILD ERROR!" wide ascii
$msg2 = "SUCCESS!" wide ascii
$msg2 = "SUCCESS!" wide ascii
...
@@ -940,6 +1016,7 @@ rule APT1_WEBC2_CLOVER
...
@@ -940,6 +1016,7 @@ rule APT1_WEBC2_CLOVER
$msg5 = "insufficient lookahead" wide ascii
$msg5 = "insufficient lookahead" wide ascii
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
$ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
$ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
condition:
condition:
2 of ($msg*) and 1 of ($ua*)
2 of ($msg*) and 1 of ($ua*)
}
}
...
@@ -949,80 +1026,90 @@ rule APT1_WEBC2_BOLID
...
@@ -949,80 +1026,90 @@ rule APT1_WEBC2_BOLID
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$vm = "VMProtect" wide ascii
$vm = "VMProtect" wide ascii
$http = "http://[c2_location]/[page].html" wide ascii
$http = "http://[c2_location]/[page].html" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_WEBC2_ADSPACE
rule APT1_WEBC2_ADSPACE
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "<!---HEADER ADSPACE style=" wide ascii
$1 = "<!---HEADER ADSPACE style=" wide ascii
$2 = "ERSVC.DLL" wide ascii
$2 = "ERSVC.DLL" wide ascii
condition:
condition:
all of them
all of them
}
}
rule APT1_WEBC2_AUSOV
rule APT1_WEBC2_AUSOV
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "ntshrui.dll" wide ascii
$1 = "ntshrui.dll" wide ascii
$2 = "%SystemRoot%\\System32\\" wide ascii
$2 = "%SystemRoot%\\System32\\" wide ascii
$3 = "<!--DOCHTML" wide ascii
$3 = "<!--DOCHTML" wide ascii
$4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
$4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
$5 = "Ausov" wide ascii
$5 = "Ausov" wide ascii
condition:
condition:
4 of them
4 of them
}
}
rule APT1_WARP
rule APT1_WARP
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$err1 = "exception..." wide ascii
$err1 = "exception..." wide ascii
$err2 = "failed..." wide ascii
$err2 = "failed..." wide ascii
$err3 = "opened..." wide ascii
$err3 = "opened..." wide ascii
$exe1 = "cmd.exe" wide ascii
$exe1 = "cmd.exe" wide ascii
$exe2 = "ISUN32.EXE" wide ascii
$exe2 = "ISUN32.EXE" wide ascii
condition:
condition:
2 of ($err*) and all of ($exe*)
2 of ($err*) and all of ($exe*)
}
}
rule APT1_TARSIP_ECLIPSE
rule APT1_TARSIP_ECLIPSE
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$1 = "\\pipe\\ssnp" wide ascii
$1 = "\\pipe\\ssnp" wide ascii
$2 = "toobu.ini" wide ascii
$2 = "toobu.ini" wide ascii
$3 = "Serverfile is not bigger than Clientfile" wide ascii
$3 = "Serverfile is not bigger than Clientfile" wide ascii
$4 = "URL download success" wide ascii
$4 = "URL download success" wide ascii
condition:
condition:
3 of them
3 of them
}
}
rule APT1_TARSIP_MOON
rule APT1_TARSIP_MOON
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
$s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
$s2 = "URL download success!" wide ascii
$s2 = "URL download success!" wide ascii
...
@@ -1033,14 +1120,15 @@ rule APT1_TARSIP_MOON
...
@@ -1033,14 +1120,15 @@ rule APT1_TARSIP_MOON
$msg4 = "Runas success!" wide ascii
$msg4 = "Runas success!" wide ascii
$onec1 = "onec.php" wide ascii
$onec1 = "onec.php" wide ascii
$onec2 = "/bin/onec" wide ascii
$onec2 = "/bin/onec" wide ascii
condition:
condition:
1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
/*
rule APT1_payloads
rule APT1_payloads
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
...
@@ -1080,6 +1168,7 @@ rule APT1_payloads
...
@@ -1080,6 +1168,7 @@ rule APT1_payloads
$pay32 = "ISUN32.EXE" wide ascii
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
condition:
1 of them
1 of them
}
}
...
@@ -1087,30 +1176,26 @@ rule APT1_payloads
...
@@ -1087,30 +1176,26 @@ rule APT1_payloads
rule APT1_RARSilent_EXE_PDF
rule APT1_RARSilent_EXE_PDF
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$winrar1 = "WINRAR.SFX" wide ascii
$winrar1 = "WINRAR.SFX" wide ascii
/*
$str2 = "Steup=" wide ascii
$winrar2 = ";The comment below contains SFX script commands" wide ascii
$winrar3 = "Silent=1" wide ascii
*/
/*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
*/
$str2 = "Steup=\"" wide ascii
condition:
condition:
all of
($winrar*) and 1 of ($str*)
all of
them
}
}
rule APT1_aspnetreport
rule APT1_aspnetreport
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$url = "aspnet_client/report.asp" wide ascii
$url = "aspnet_client/report.asp" wide ascii
$param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
$param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
...
@@ -1148,16 +1233,18 @@ rule APT1_aspnetreport
...
@@ -1148,16 +1233,18 @@ rule APT1_aspnetreport
$pay32 = "ISUN32.EXE" wide ascii
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
condition:
$url and $param and 1 of ($pay*)
$url and $param and 1 of ($pay*)
}
}
rule APT1_Revird_svc
rule APT1_Revird_svc
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$dll1 = "nwwwks.dll" wide ascii
$dll1 = "nwwwks.dll" wide ascii
$dll2 = "rdisk.dll" wide ascii
$dll2 = "rdisk.dll" wide ascii
...
@@ -1168,16 +1255,18 @@ rule APT1_Revird_svc
...
@@ -1168,16 +1255,18 @@ rule APT1_Revird_svc
$svc3 = "RundllUninstallA" wide ascii
$svc3 = "RundllUninstallA" wide ascii
$svc4 = "ServiceMain" wide ascii
$svc4 = "ServiceMain" wide ascii
$svc5 = "UninstallService" wide ascii
$svc5 = "UninstallService" wide ascii
condition:
condition:
1 of ($dll*) and 2 of ($svc*)
1 of ($dll*) and 2 of ($svc*)
}
}
rule APT1_dbg_mess
rule APT1_dbg_mess
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$dbg1 = "Down file ok!" wide ascii
$dbg1 = "Down file ok!" wide ascii
$dbg2 = "Send file ok!" wide ascii
$dbg2 = "Send file ok!" wide ascii
...
@@ -1219,24 +1308,25 @@ rule APT1_dbg_mess
...
@@ -1219,24 +1308,25 @@ rule APT1_dbg_mess
$pay31 = "a.bin" wide ascii
$pay31 = "a.bin" wide ascii
$pay32 = "ISUN32.EXE" wide ascii
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
condition:
4 of ($dbg*) and 1 of ($pay*)
4 of ($dbg*) and 1 of ($pay*)
}
}
rule APT1_known_malicious_RARSilent
rule APT1_known_malicious_RARSilent
{
{
meta:
meta:
author = "AlienVault Labs"
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
info = "CommentCrew-threat-apt1"
strings:
strings:
$str1 = "Analysis And Outlook.doc\"" wide ascii
$str1 = "Analysis And Outlook.doc" wide ascii
$str2 = "North Korean launch.pdf\"" wide ascii
$str2 = "North Korean launch.pdf" wide ascii
$str3 = "Dollar General.doc\"" wide ascii
$str3 = "Dollar General.doc" wide ascii
$str4 = "Dow Corning Corp.pdf\"" wide ascii
$str4 = "Dow Corning Corp.pdf" wide ascii
condition:
condition:
1 of them and APT1_RARSilent_EXE_PDF
1 of them and APT1_RARSilent_EXE_PDF
}
}